gh-98331: Update bundled pip to 22.3 #98332
pfmoore commented Oct 16, 2022 • edited by bedevere-bot
- Issue: Update bundled pip to 22.3 #98331
@pablogsal It would be good if this could be included in the Python 3.11 final release, although I appreciate it's very late notice. I should note that the new version of pip was just released this weekend, and if there are issues we could need to follow up with a bugfix release. While I hope there won't be any issues (there are no major changes in this release) obviously I can't guarantee that. I would be pushing hard for any such bugfix release to happen before next weekend, if one were needed. I don't know whether this possibility would affect your decision about including this patch (and/or any possible bugfix release) in 3.11 final, but I thought I should make you aware 🙂 I'll set up a backport to 3.11, for inclusion in 3.11.1, regardless.
Thanks for checking with me! 👍 One thing that would help me evaluate the risk better is if you could walk me through what improvements or bugfixes are important to get into 11.0.0. Is there any security fix or similar?
There are no major changes in 22.3 that are critical. The main reason for bundling the latest version is to allow users to not have to upgrade pip immediately on installing Python or creating a venv. So it's mostly a "quality of life" improvement, in that sense. Having the bundled pip be out of date is far from unusual, but it feels off to release a new version of pip and then immediately release a Python version that has an out of date pip. The only security-related change is that this version of pip bundles the latest certifi, so the certificates we use are more up to date. That's arguably important, but I wouldn't over-emphasise it (after all, we don't rush pip releases every time certifi adds new certificates, so it'd be hypocritical for me to try to claim it's crucial here...)
One other question, just to make sure I don't mess anything up - if I merge this and then trigger a backport to 3.11, that will go onto the 3.11 branch ready for 3.11.1, won't it - it won't affect the release branch?
I went ahead and approved it, but you should also wait for @pablogsal's approval.
@pablogsal A gentle reminder - am I OK to merge and backport this for 3.12/3.11.1 etc?
Apologies for the delay! Yeah, doing the backport is ok. I am still thinking about including it in 3.11.0, but I think it makes sense.
Thanks @pfmoore for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10.
Thanks @pfmoore for the PR 🌮🎉.. I'm working now to backport this PR to: 3.11.
GH-98399 is a backport of this pull request to the 3.10 branch.
(cherry picked from commit 9da5215) Co-authored-by: Paul Moore <p.f.moore@gmail.com>
GH-98400 is a backport of this pull request to the 3.11 branch.
(cherry picked from commit 9da5215) Co-authored-by: Paul Moore <p.f.moore@gmail.com>
FWIW, we haven't had any major issues reported, so I'm (cautiously!) optimistic that we won't need a 22.3.1 bugfix release.